Computer virus steals $325K from district

By Maya T. Prabhu, Assistant Editor

October 1st, 2009

The FBI is investigating what it is calling an online computer intrusion that siphoned several hundred thousand dollars from at least one Chicago area school district’s bank accounts, prompting the school district to beef up its IT network security.

FBI spokesman Ross Rice, who is with the Chicago office, said there had been no arrests or indictments as of press time and that the incident was still under investigation.

Rice said officials believe that some computers at the Crystal Lake, Ill., School District were infected with the Clampi virus. Clampi, which has been associated with a number of banking thefts throughout the country, is designed to steal banking credentials.

"We’ve had similar reports from other school districts in and around the Chicago area, but nothing definitive at this point," Rice said.

Large sums of money were taken from Crystal Lake over the course of a few days in late June and early July, said Superintendent Donn Mendoza. A larger amount initially was reported missing from the Crystal Lake district, but some of the money was recovered and the unauthorized transactions were stopped, leaving the district at a $325,000 net loss, he said.

"We engage in periodic monitoring of our bank accounts, and in the process … we noted irregularities, which then caused us to investigate more, which led to ultimately learning that we had somebody compromise some of our financial accounts," Mendoza said.

After the discovery of the missing funds, Crystal Lake hired an electronic security firm and underwent a comprehensive audit. Some of the recommendations already have been implemented, and the district is in the process of making additional changes. Mendoza also said the district filed an insurance claim to recover the lost money, though the matter had not yet been resolved as of press time.

"It’s well known that malware is growing more sophisticated, but few threats have had us scratching our heads like Trojan.Clampi," researcher Patrick Fitzgerald wrote. "Trojan.Clampi has been around for a number of years now. During this time it has gone through many iterations, changing its code with a view to avoid detection and also to make it difficult for researchers to analyze."

Fitzgerald explains that Clampi’s code is so complex that it is hard for researchers to determine exactly what the virus does.

"It has the capability to download arbitrary binaries that are then stored in the registry and loaded straight to memory, avoiding traditional antivirus scanning techniques that scan files on disk. It remains active on the network, connecting back to a server and waiting for commands. Clampi also has the ability to spread to other machines on the network through network shares–this feature is the reason we are seeing such widespread infections," he wrote.

"So far, the motivation behind Clampi appears to be financial. It has the ability to steal login credentials for online banking sites, something we have observed in a controlled lab environment. In one case, we saw attempts to inject JavaScript into a well-known banking site in an attempt to steal login details."

Though it’s impossible for a school district to be completely immune to cyber attacks, Mendoza said district officials should take steps to minimize opportunities for cyber criminals to compromise their networks.

"I think this is going to be a challenge from this point forward for all public bodies. The technology issues we’re facing, particularly as it relates to cyber crimes, [are] very sophisticated. And it almost seems like we’re always working to be reactive," he said.

Mendoza said that, in his experience, public school districts rarely engage in formal, comprehensive, third-party IT audits, "which is exactly what we did" after discovering the attack.

"And the recommendations we received were excellent. So I would encourage people to do that," he said. "And make sure that … district security procedures [are] up to date on the latest enhancements and … best practices [in] IT security."

Mendoza said whoever is responsible for handling district finances needs to monitor banking activity daily.

"I would also recommend they have secure protocols in place regarding how … finances are transferred from one account to another," he said. "The other thing I’d recommend is that if districts are doing electronic banking transactions, they take a hard look at what type of encryption and security protocols are in place to ensure the most secure process for moving money from one account to another."